Skip to content

You are viewing documentation for Immuta version 2022.1.

For the latest version, view our documentation for Immuta SaaS or the latest self-hosted version.

cancel

Trino and Starburst Integration

Audience: System Administrators

Content Summary: This page describes the Trino and Starburst integration, through which Immuta applies policies directly in the user's native technology.

See the Trino integration page for a tutorial on enabling Trino or Starburst and these features through the App Settings page.

Overview

Immuta connects to Trino as a plugin integration. This allows Immuta to apply policies directly in Trino without data flowing through a proxy. Users can work within their existing Trino tooling (querying, reporting, etc.) and have per-user policies applied into views at query time.

Architecture

Once the plugin has been pushed out to all nodes, administrators create an immuta catalog that is managed by the custom Immuta Trino connector that generates the list of available schemas and views at query time based on the user making the request. When a user executes a query against one of the Immuta views, the connector dynamically generates the view definition and provides that to the Trino execution engine, which then connects to the backing catalogs and retrieves the data with appropriate policy enforcement.

Policy Enforcement

This integration uses an Immuta-Trino plugin to create policy-enforced view definitions that users access through an immuta catalog. When Trino tables are registered in Immuta as data sources, these data sources are dynamically generated as views in the immuta catalog on the Trino node. Then, users subscribed to those data sources in Immuta query the corresponding protected views in Trino.

Changes to policies, user attributes, or data sources registered in Immuta trigger webhooks that keep these views up-to-date, empowering users to query policy-enforced data.

Data Flow

  1. An Immuta Application Administrator configures the Trino integration, creating an Immuta catalog and connector on their Trino node.
  2. Immuta creates a catalog inside the configured Trino node.
  3. A Data Owner registers Trino tables in Immuta as data sources. A Data Owner, Data Governor, or Administrator creates or changes a policy or user in Immuta.
  4. Data source metadata, tags, user metadata, and policy definitions are stored in Immuta's Metadata Database.
  5. The Immuta connector generates and provides the view definition to the Trino Execution Engine.
  6. A Trino user who is subscribed to the data source in Immuta queries the corresponding table directly in Trino through the immuta database.
  7. Using the querying user's project, purpose, and entitlements, Immuta applies policies to the views at query time, so the user sees policy-enforced data.

Trino Integration